Jeffrey Yasskin

Why the E-privacy Directive is broken

Some privacy advocates argue that if a website is behaving ethically by keeping visitors’ data private, it doesn’t need cookie banners in the EU. They also argue that the proliferation of cookie banners is an instance of malicious compliance rather than illustrating a problem with the law.

The other day, a Vivaldi employee accidentally illustrated why this stance is mistaken. I don’t mean to pick on this person or Vivaldi in particular: they mean well, and their confusion is widespread. They wrote:

Load any of our websites and you see no cookie banner and no mention of partners.

https://vivaldi.com

“But wait” you say, “didn’t those terrible Europeans mandate the cookie banner!?”

No, no they did not. We do not need a cookie banner because we are not selling all your shit to every company under the sun.

Also those sites with cookie banners are just doing malicious compliance. This was never about the EU requiring cookie banners!

However, if you visited vivaldi.com on or before March 19, 2026 (archive), you would have found that it did set 2 cookies: _pk_id.4.d431 and _pk_ses.4.d431. Vivaldi’s privacy policy (archive) describes these as “Anonymous Performance Cookies”, and separates them from the “Strictly Necessary Cookies”.

This turns out to be a problem under the EU E-privacy Directive. This directive requires that

Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.

These cookies were stored without consent, and they’re not strictly necessary, so they’re banned by EU regulations.¹ After I mentioned this, Vivaldi seems to have agreed, and the cookies were gone by March 21.

Vivaldi’s cookies should have been just fine. They were measuring how many people visited their websites, and not abusing anyone’s data. But the law doesn’t make that distinction, so they had to stop measuring.

The proposed “Digital Omnibus” bill starts to improve this. Article 88a in the proposal includes

  1. Storing of personal data, or gaining of access to personal data already stored, in the terminal equipment of a natural person is only allowed when that person has given his or her consent, in accordance with this Regulation.
  2. Paragraph 1 does not preclude storing of personal data, or gaining of access to personal data already stored, in the terminal equipment of a natural person, based on Union or Member State law within the meaning of, and subject to the conditions of Article 6, to safeguard the objectives referred to in Article 23(1).
  3. Storing of personal data, or gaining of access to personal data already stored, in the terminal equipment of a natural person without consent, and subsequent processing, shall be lawful to the extent it is necessary for any of the following:
    1. carrying out the transmission of an electronic communication over an electronic communications network;
    2. providing a service explicitly requested by the data subject;
    3. creating aggregated information about the usage of an online service to measure the audience of such a service, where it is carried out by the controller of that online service solely for its own use;
    4. maintaining or restoring the security of a service provided by the controller and requested by the data subject or the terminal equipment used for the provision of such service.

Unfortunately,

I hope the continued development of the Digital Omnibus bill makes it clear that measurement cookies are allowed without consent.

Footnotes

  1. This rule has been understood to apply to websites storing data but not to native mobile apps storing data. I don’t know why there would be such a distinction. The whole directive focuses on “electronic communications networks”, but mobile apps are served over those just as much as websites are. App install could act as some sort of consent, but it doesn’t provide even as much “clear and comprehensive information … about the purposes of the processing” as cookie banners provide.